Threats known and unknown loom in 2020 elections
It remains to be seen whether election officials and federal agencies will be facing the same type of threats targeting election infrastructure and online discourse as they experienced in 2016 -- or if they should expect the unexpected.
U.S. cybersecurity officials are gearing up to prevent foreign malign influence campaigns from impacting the 2020 vote.
Experts are divided over whether local election officials and federal agencies should expect the same type of threats targeting election infrastructure and online discourse as they experienced in 2016 or if they should expect the unexpected.
On Election Day in 2018, federal officials said they had no indication that voting infrastructure was successfully targeted by cyberattacks or other efforts at manipulation designed to strike voters from the rolls, change vote counts or hinder officials from completing election tallies.
But the issue of influence campaigns and as yet unknown vectors of attack remain ripe for discussion as the nation heads into the 2020 vote.
Matthew Masterson, a senior advisor at DHS who focuses on election security, said at an April 23 cybersecurity conference that he spends "a lot of time thinking through that undermining confidence [angle] and ways that we can build that resilience, because the reality is you don't actually even have to touch a system to push a narrative that undermines confidence in the elections process."
Liisa Past, former Chief Research Officer at the Cyber Security Branch of the Estonian Information System Authority, said at the same event that election influence campaigns operate on multiple fronts.
"It really illustrates the adversarial activity, which is that they're throwing spaghetti at the walls," said Past. "Cyber is one wall, misinformation, disinformation and social media is another wall. We're having to assume that using proxies and…useful idiots is another wall and I'm afraid that behind it there might also be an element of blackmail and personal manipulation."
The challenge, she said, is "how do you come up with a risk management model that clearly has the same degree of flexibility as the adversary's tactics have?"
The Mueller report and related indictments against members of Russia's Internet Research Agency, documented a wide-reaching effort on the part of Russian intelligence agencies to target state boards of elections, secretaries of state, county government officials and private technology companies responsible for making election-related software and hardware in the lead up to the 2016 presidential election.
Cybersecurity officials at DHS and Cybersecurity and Infrastructure Security Agency have built relationships and information sharing agreements with all 50 states and more than 1,400 local entities. Chris Krebs, Director of CISA, joked earlier this week that he knows the ties between DHS and the election community are stronger today because he still regularly receives texts from secretaries of state and election officials at all hours of the night, asking questions and requesting resources.
Still, elections are mostly administered at the county or local level and by DHS' own count, there are still thousands of localities left to contact. In March 2019, a Joint Intelligence Bulletin issued by the FBI and DHS warned that in fact all 50 states had their election infrastructure probed and targeted by Russian hackers in the lead up to 2016, something that was long suspected.
Additionally, according to an April 24 New York Times report, senior White House officials thwarted an effort by former DHS chief Kirstjen Nielsen to create a cabinet-level election security team to elevate the issue.
But the work of securing election infrastructure is taking place at the state level, where elections are conducted.
Lawrence Norden, Deputy Director of the Brennan Center for Justice Democracy Program, told FCW "there's no question we're in a better place" security-wise compared to 2016, citing the steady (if sluggish) progress made replacing paperless voting machines over the past three years as well as heightened awareness of the treat on the part of government, technology vendors, election officials and the media.
"For things where they were apparently successful in 2016 with spear-phishing attacks…you would hope that's less likely to happen" in 2020 due to greater education about the tactic in the election community, he said.
Efforts to counter disinformation and influence campaigns, as well as state-sponsored hacking and leaking efforts targeting political campaigns, remain a work in progress.
Krebs told a House Homeland Security panel in February that social media companies "deserve some credit" for stepping up their efforts in the 2018 election cycle. He said major platforms sent representatives to a DHS election security war room in Virginia on election day, coordinating with election officials about blatant instances of misinformation posted online (such as claims that voting machines were casting incorrect votes) and pulling down posts in real time.
Still, policymakers and advocacy groups continue to pillory social media companies for what they perceive as a lack of urgency when it comes to combatting or taking down misinformation or disinformation on their platforms.
"They played a part," said Krebs. "There's always much more to do here and keep in mind that the adversary will continue to pivot, pivot, pivot as we raise defenses and block off avenues."
Here again, DHS has indicated a willingness to enter the fray, offering vulnerability scans and other protection services to any political campaign that wants it. Masterson said "we haven't had anyone decline to have a call with us or not be excited about the resources that we're offering" when speaking with presidential campaigns.
The sooner the better. Cybersecurity experts point out that the early stages of a political campaign's operations are often they're most vulnerable, marked by high staff turnover, shoestring budgets and a lack of professional organization and sophistication that normally translates to good digital security practices.
Case in point: Research from the Global Cyber Alliance found that only four of 14 Democratic presidential campaigns were utilizing Domain-based Message Authentication, Reporting and Conformance, a tool designed to prevent outside parties from spoofing the campaign's emails.
Looking abroad could also yield clues as to how information operations have adapted and evolved against new protections. Ukrainian intelligence agencies claimed in March that Russian operatives sought to buy or rent Facebook accounts from Ukrainian citizens in order to avoid new security measures put in place after 2016. American disinformation researchers have pointed to similar tactics of co-opting native social media accounts and groups detailed in the Mueller report.
"We can't just plug the holes that we've identified because you just don't fight wars that way. You should expect and we see it in cyberattacks…they develop, they mutate," said Norden. "Adversaries who want to influence an election are going to find new ways. Having said that, we haven't even plugged the very obvious holes that we do have."
Past said what worries her most is the "strategic silence" she has witnessed over the past year by state actors like China and Russia.
The 2018 mid-terms were notably quieter than 2016, with and Past and Norden said there are not many recent examples over the past year or two to draw lessons from. Still, Past said that although policymakers should prepare for new tactics and strategies, it's not clear that a foreign influence or election hacking operation would need to tread new ground, or stray far from the plan Russia ran in 2016.
"There's been no convincing response, government-wise or internationally or diplomatically, that would tell any nation state…that they should [deviate] from the Russian playbook, and most of the costs around those attacks has become less, not more, over the last few years," said Past.